Permissions: Basic users and above, who can manage and configure SSO

Product tier: Available for Advanced and Expert subscription tiers

Note: If you have questions regarding enabling Single Sign-On through ADFS, please click here to contact the Greenhouse Technical Support team.

Add Greenhouse as a Relying Party Trust

Note: These instructions were created using Windows Server 2012 R2 and ADFS 3.0.

Navigate to your AD FS Management tool, then open the Trust Relationships folder in the left sidebar.

In the Trust Relationships folder, open the Relying Party Trusts folder.

Click Add Relying Party Trusts under the Actions bar on the right side of the screen. The Add Relying Party Trust Wizard will open.

Click Start on the Welcome page.

Select Enter data about the relying party manually on the Data Source page and enter the following information for Greenhouse Recruiting:

  • ACS URL: Obtained following the steps listed here.
  • Entity ID: greenhouse.io (Note: This field does not include https://)

Enter Greenhouse in the Display Name field, and add any additional notes.

Select AD FS profile on the Choose Profile page.

Click Next to skip the Configure Certificate page without making any selections.

On the Configure URL page, take the following steps:

  • Check the box for Enable support for the SAML 2.0 WebSSO protocol.
  • Enter your Greenhouse Recruiting ACS URL.

Note: Click here to learn how to retrieve your ACS URL from your Greenhouse Recruiting account.

Enter the following information on the Configure Identifiers page:

  • Relying party trust identifier: greenhouse.io

When you're finished, click Add.

Note: Multi-factor authentication is not required for this integration. However, if you would like to add it, it can be configured on the next page.

Select Permit all users to access this relying party on the Choose Issuance Authorization Rules page.

Click Next on the Ready to Add Trust page without making any changes.

Select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox on the Finish page. When you're done, click Close.

Create Claim Rules for Greenhouse

Closing the Add Relying Party Trust Wizard will automatically open the Edit Claim Rules Wizard for Greenhouse. Here, you will configure the attributes that AD FS will send to Greenhouse.

Click Add Rule.

Select Send LDAP Attributes as Claims from the dropdown menu.

Name the claim rule LDAP Email and Full Name, select Active Directory as the attribute store, and enter the following mappings in the table:

  • LDAP Attribute: E-Mail-Addresses; Outgoing Claim Type: E-Mail Address
  • LDAP Attribute: Given-Name; Outgoing Claim Type: type User.FirstName in the field
  • LDAP Attribute: Surname; Outgoing Claim Type: type User.LastName in the field

You will now see the new rule in your list of claim rules for Greenhouse Recruiting. Click Add Rule to add the next rule.

Select Transform an Incoming Claim from the dropdown menu.

Configure the following on the next page:

  • Name the claim rule Email Transform
  • Set the Incoming claim type to E-Mail Address
  • Set the Outgoing claim type to Name ID
  • Set the Outgoing name ID format to Email
  • Select Pass through all claim values

Both rules will appear in the list. Click Apply and OK to close the Wizard.

Edit Trust Settings

The final step will be to edit the trust settings for Greenhouse.

On the Relying Party Trusts page of the AD FS Management Tool, select Greenhouse from the list of Relying Party Trusts. Then, click Properties under the Actions bar on the right side of the page.

The Identifiers tab should contain your Display name and Greenhouse's Relying party identifier (in this setup, it will say greenhouse.io).

Set the NotBeforeSkew Parameter

When a user logs in through ADFS, the SAML Response sent to Greenhouse contains "NotBefore" and "NotOnOrAfter" attributes that define the window during which the SAML Response is valid. If the ADFS server clock and the Greenhouse server clock are out of sync, Greenhouse may receive the response at a time that, by its own clock, is earlier than the "NotBefore" value. In that case the SAML Response is rejected as not yet valid and the user will not be able to log in.

To ensure that your users are not affected by server synchronization issues, please set a skew of at least two minutes on the "NotBefore" attribute by following the instructions below:

Open PowerShell on the ADFS server.

Check the current NotBeforeSkew by running the following command in PowerShell:

Get-ADFSRelyingPartyTrust -Identifier "greenhouse.io"

In the PowerShell output, scroll to the "NotBeforeSkew" attribute. The number next to "NotBeforeSkew" is the current skew for that attribute in minutes.

Set the "NotBeforeSkew" to 2 minutes by running the following command in PowerShell:

Set-ADFSRelyingPartyTrust -TargetIdentifier "greenhouse.io" -NotBeforeSkew 2

Check the new "NotBeforeSkew" by running the following command again:

Get-ADFSRelyingPartyTrust -Identifier "greenhouse.io"

The NotBeforeSkew should now be set to 2.
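The following script is an added example, not part of the Greenhouse article: it applies the two claim rules from the "Create Claim Rules for Greenhouse" section in ADFS claim rule language (the same text the wizard templates generate) together with the two-minute NotBeforeSkew, then reads the trust back and checks both settings. It assumes the relying party identifier greenhouse.io used throughout the article and an elevated PowerShell session on the ADFS server.

```powershell
# Added example (not from the Greenhouse article). Applies the claim rules and
# NotBeforeSkew described above via the ADFS PowerShell module, then verifies them.
Import-Module ADFS

$identifier = "greenhouse.io"   # relying party trust identifier from the article

# Claim rule language equivalent of the two wizard rules:
#   "LDAP Email and Full Name" (Send LDAP Attributes as Claims) and
#   "Email Transform" (Transform an Incoming Claim, pass through all claim values).
# LDAP attribute names: E-Mail-Addresses = mail, Given-Name = givenName, Surname = sn.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email and Full Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "User.FirstName", "User.LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Apply the issuance rules and the two-minute NotBefore skew in one call.
Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier `
    -IssuanceTransformRules $issuanceRules `
    -NotBeforeSkew 2

# Read the trust back and verify the settings the article expects.
$trust = Get-AdfsRelyingPartyTrust -Identifier $identifier
if ($null -eq $trust) {
    throw "No relying party trust found for identifier '$identifier'"
}
if ($trust.NotBeforeSkew -lt 2) {
    throw "NotBeforeSkew is $($trust.NotBeforeSkew); expected at least 2"
}
if ($trust.IssuanceTransformRules -notmatch 'nameid-format:emailAddress') {
    throw "Email to Name ID transform rule is missing from the trust"
}
"Trust '$($trust.Name)' OK: NotBeforeSkew=$($trust.NotBeforeSkew), identifiers=$($trust.Identifier -join ',')"
```

Reading IssuanceTransformRules back this way is also a convenient way to audit what the Edit Claim Rules wizard actually created.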

Configure a Single Logout URL (Optional)

The last step, which is optional, is to configure a Single Logout URL.

Open the Greenhouse Properties dialog box by clicking the Properties button in the Actions sidebar.

Navigate to the Endpoints tab. You'll see the ACS URL from Greenhouse's Metadata file in the list of Endpoints. To add a Single Logout URL, click Add SAML.

Configure the following in the Add an Endpoint window:

  • Set the Endpoint type to SAML Logout
  • Set Binding to POST
  • In the Trusted URL textbox, enter your Single Logout URL.

Both the ACS URL from Greenhouse and your Single Logout URL will display in the list of Endpoints for Greenhouse. To complete the process, click Apply, then click OK.

You're now ready to test your ADFS configuration. Please follow the steps here to soft-enable SSO in Greenhouse Recruiting so your team can test the configuration internally.